Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
arm.elf

Overview

General Information

Sample name:arm.elf
Analysis ID:1580336
MD5:65795b0a1a063b16dc03c52426845d80
SHA1:6de17b811bfab8734dffe12f921558e3b420e8cd
SHA256:58e61631a7f0cb161fb240d250cc223c96abe779ff601b8d96e9abe809189e75
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1580336
Start date and time:2024-12-24 10:37:06 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 23s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm.elf
Detection:MAL
Classification:mal48.linELF@0/0@0/0

Runtime Messages

Command:/tmp/arm.elf
PID:6216
Exit Code:1
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • arm.elf (PID: 6216, Parent: 6134, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: arm.elfReversingLabs: Detection: 21%
Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: mal48.linELF@0/0@0/0
Source: /tmp/arm.elf (PID: 6216)Queries kernel information via 'uname': Jump to behavior
Source: arm.elf, 6216.1.000055620a5a7000.000055620a6d5000.rw-.sdmpBinary or memory string: bU!/etc/qemu-binfmt/arm
Source: arm.elf, 6216.1.000055620a5a7000.000055620a6d5000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: arm.elf, 6216.1.00007ffccbe0b000.00007ffccbe2c000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: arm.elf, 6216.1.00007ffccbe0b000.00007ffccbe2c000.rw-.sdmpBinary or memory string: wx86_64/usr/bin/qemu-arm/tmp/arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm.elf

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
arm.elf21%ReversingLabsLinux.Backdoor.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
109.202.202.202
unknownSwitzerland
13030INIT7CHfalse
91.189.91.43
unknownUnited Kingdom
41231CANONICAL-ASGBfalse
91.189.91.42
unknownUnited Kingdom
41231CANONICAL-ASGBfalse

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
  • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43nsharm5.elfGet hashmaliciousUnknownBrowse
    mipsel.nn.elfGet hashmaliciousOkiruBrowse
      arm6.elfGet hashmaliciousUnknownBrowse
        hmips.elfGet hashmaliciousUnknownBrowse
          sparc.nn.elfGet hashmaliciousOkiruBrowse
            nsharm6.elfGet hashmaliciousUnknownBrowse
              arm7.nn-20241224-0652.elfGet hashmaliciousMirai, OkiruBrowse
                mips.nn.elfGet hashmaliciousOkiruBrowse
                  m68k.nn.elfGet hashmaliciousOkiruBrowse
                    arm6.nn.elfGet hashmaliciousOkiruBrowse
                      91.189.91.42nsharm5.elfGet hashmaliciousUnknownBrowse
                        mipsel.nn.elfGet hashmaliciousOkiruBrowse
                          arm6.elfGet hashmaliciousUnknownBrowse
                            hmips.elfGet hashmaliciousUnknownBrowse
                              sparc.nn.elfGet hashmaliciousOkiruBrowse
                                nsharm6.elfGet hashmaliciousUnknownBrowse
                                  arm7.nn-20241224-0652.elfGet hashmaliciousMirai, OkiruBrowse
                                    mips.nn.elfGet hashmaliciousOkiruBrowse
                                      m68k.nn.elfGet hashmaliciousOkiruBrowse
                                        arm6.nn.elfGet hashmaliciousOkiruBrowse

                                          Domains

                                          No context

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          CANONICAL-ASGBnsharm5.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          mipsel.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          arm6.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          hmips.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          sparc.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          nsharm6.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          arm7.nn-20241224-0652.elfGet hashmaliciousMirai, OkiruBrowse
                                          • 91.189.91.42
                                          mips.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          m68k.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          arm6.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          CANONICAL-ASGBnsharm5.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          mipsel.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          arm6.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          hmips.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          sparc.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          nsharm6.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          arm7.nn-20241224-0652.elfGet hashmaliciousMirai, OkiruBrowse
                                          • 91.189.91.42
                                          mips.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          m68k.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          arm6.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          INIT7CHnsharm5.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          mipsel.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          arm6.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          hmips.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          sparc.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          nsharm6.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          arm7.nn-20241224-0652.elfGet hashmaliciousMirai, OkiruBrowse
                                          • 109.202.202.202
                                          mips.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          m68k.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          arm6.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
                                          Entropy (8bit):6.092936545863201
                                          TrID:
                                          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                          File name:arm.elf
                                          File size:69'860 bytes
                                          MD5:65795b0a1a063b16dc03c52426845d80
                                          SHA1:6de17b811bfab8734dffe12f921558e3b420e8cd
                                          SHA256:58e61631a7f0cb161fb240d250cc223c96abe779ff601b8d96e9abe809189e75
                                          SHA512:b4a9ccdb1b844c4a44b20590a3e3b7371b975dfebeb4c8dc092e149a28f5eafd259207973dac11458d4c642a2f2af83fe72cff5ff9c2fd110f92b6386d1e6b91
                                          SSDEEP:1536:vHlJpAFvmWfcMt9JqaIzG9Ez5pgrikSRvUT:vHHpAFjf5qaIzG941U
                                          TLSH:37632A81BD819A12C6D152BBFB1E428D772713A8D3EB7203CE25AF21378746B0E7B551
                                          File Content Preview:.ELF...a..........(.........4...T.......4. ...(.....................x...x...............|...|...|........S..........Q.td..................................-...L."...$=..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                                          Static ELF Info

                                          ELF header

                                          Class:ELF32
                                          Data:2's complement, little endian
                                          Version:1 (current)
                                          Machine:ARM
                                          Version Number:0x1
                                          Type:EXEC (Executable file)
                                          OS/ABI:ARM - ABI
                                          ABI Version:0
                                          Entry Point Address:0x8190
                                          Flags:0x202
                                          ELF Header Size:52
                                          Program Header Offset:52
                                          Program Header Size:32
                                          Number of Program Headers:3
                                          Section Header Offset:69460
                                          Section Header Size:40
                                          Number of Section Headers:10
                                          Header String Table Index:9

                                          Sections

                                          NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                                          NULL0x00x00x00x00x0000
                                          .initPROGBITS0x80940x940x180x00x6AX004
                                          .textPROGBITS0x80b00xb00xf4c80x00x6AX0016
                                          .finiPROGBITS0x175780xf5780x140x00x6AX004
                                          .rodataPROGBITS0x1758c0xf58c0x15ec0x00x2A004
                                          .ctorsPROGBITS0x20b7c0x10b7c0x80x00x3WA004
                                          .dtorsPROGBITS0x20b840x10b840x80x00x3WA004
                                          .dataPROGBITS0x20b900x10b900x3840x00x3WA004
                                          .bssNOBITS0x20f140x10f140x50640x00x3WA004
                                          .shstrtabSTRTAB0x00x10f140x3e0x00x0001

                                          Program Segments

                                          TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                          LOAD0x00x80000x80000x10b780x10b786.12580x5R E0x8000.init .text .fini .rodata
                                          LOAD0x10b7c0x20b7c0x20b7c0x3980x53fc2.89520x6RW 0x8000.ctors .dtors .data .bss
                                          GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Dec 24, 2024 10:37:45.561674118 CET43928443192.168.2.2391.189.91.42
                                          Dec 24, 2024 10:37:51.192935944 CET42836443192.168.2.2391.189.91.43
                                          Dec 24, 2024 10:37:52.728823900 CET4251680192.168.2.23109.202.202.202
                                          Dec 24, 2024 10:38:06.038901091 CET43928443192.168.2.2391.189.91.42
                                          Dec 24, 2024 10:38:18.325262070 CET42836443192.168.2.2391.189.91.43
                                          Dec 24, 2024 10:38:22.420712948 CET4251680192.168.2.23109.202.202.202
                                          Dec 24, 2024 10:38:46.993452072 CET43928443192.168.2.2391.189.91.42

                                          System Behavior

                                          General

                                          Start time (UTC):09:37:44
                                          Start date (UTC):24/12/2024
                                          Path:/tmp/arm.elf
                                          Arguments:/tmp/arm.elf
                                          File size:4956856 bytes
                                          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                          Chronological Activities